How WannaCry Ransomware Works

What is Ransomware?

Ransomware is a subset of malware in which the data on a victim's computer is locked, typically by encryption, and payment is demanded before the ransomed data is decrypted and access is returned to the victim.

What is WannaCrypt Ransomware?

WannaCry is a type of ransomware that infected the National Health Service (NHS) and other organisations across the globe, including government institutions in China, Russia, the US and most of Europe. India was among the countries worst affected by the WannaCry attack. NHS England was also the victim of a massive ransomware attack, resulting in some patients' operations being cancelled.

The attack occurred after the USA's National Security Agency discovered a vulnerability in Microsoft's software and built an exploit for it known as EternalBlue. This exploit was leaked by a hacker group called the Shadow Brokers earlier this year, but the vulnerability was patched by Microsoft as soon as it happened. The problem comes from older versions of Windows or those without Windows Updates, as these were not patched by Microsoft and were left open to attack. Russia and India were hit particularly hard because Microsoft's Windows XP, one of the operating systems most at risk, was still widely used in these countries.

This threat arrives as a dropper Trojan that has two components:

· A component that attempts to exploit the CVE-2017-0145 vulnerability in other computers

· A ransomware component

It tries to connect to the following domains:

· www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

· www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

· www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test

If this threat successfully connects to the domains, it stops running. Because of this, IT administrators should NOT block these domains. This threat is not proxy-aware, so a local DNS record may be required. This does not need to point to the Internet, but can resolve to any accessible server which will accept connections on TCP 80.
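Because the sample performs this lookup before it does anything else, the DNS logs of the resolver are the earliest place the infection shows up, and the response code tells you whether the kill switch worked on that host. The following is an added detection example written for this post, not code from the original analysis: it scans resolver log lines for the three kill-switch names, groups hits by client, and singles out clients whose lookup did not resolve (the hosts most likely to be encrypting and spreading). The log line format and the sample lines are constructed for the demonstration; adapt the regular expression to your resolver's actual format.

```python
"""Flag hosts whose DNS queries name the WannaCry kill-switch domains.

Added example for this post, not code from the original analysis. The log
format below (timestamp, client IP, queried name, response code) and the
sample lines are constructed for the demonstration; adapt the parser to
your resolver's real log format.
"""
import re
from collections import defaultdict

# Domains from the post, kept defanged with "[.]" exactly as they appear there.
KILL_SWITCH_DOMAINS_DEFANGED = [
    "www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com",
    "www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com",
    "www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator ("www[.]example[.]com") back into a hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")


KILL_SWITCH_DOMAINS = {refang(d) for d in KILL_SWITCH_DOMAINS_DEFANGED}

# Constructed log format: "<ts> client=<ip> query=<name> rcode=<code>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) rcode=(?P<rcode>\S+)$"
)


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def find_kill_switch_lookups(lines):
    """Return {client_ip: [(ts, qname, rcode), ...]} for every kill-switch lookup.

    A query for one of these names is a strong sign the dropper executed on that
    client whether or not the lookup succeeded: if it resolved (NOERROR) the
    payload should have exited; if it failed (NXDOMAIN/SERVFAIL) the host is
    likely proceeding to encrypt and spread.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Normalise case and a trailing dot so "WWW.X.COM." matches "www.x.com".
        qname = rec["qname"].lower().rstrip(".")
        if qname in KILL_SWITCH_DOMAINS:
            hits[rec["client"]].append((rec["ts"], qname, rec["rcode"]))
    return dict(hits)


def hosts_where_kill_switch_failed(lines):
    """Clients whose most recent kill-switch lookup did not resolve: triage these first."""
    failed = set()
    for client, events in find_kill_switch_lookups(lines).items():
        last_rcode = events[-1][2]
        if last_rcode != "NOERROR":
            failed.add(client)
    return failed


# Constructed sample log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    "2017-05-12T10:01:03Z client=10.0.4.17 query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com rcode=NOERROR",
    "2017-05-12T10:01:05Z client=10.0.4.17 query=update.example.internal rcode=NOERROR",
    "2017-05-12T10:02:41Z client=10.0.9.88 query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. rcode=NXDOMAIN",
    "2017-05-12T10:02:42Z client=10.0.9.88 query=WWW.IFFERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM rcode=NXDOMAIN",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for client, events in find_kill_switch_lookups(SAMPLE_LOG).items():
        print(client, events)
    print("kill switch unreachable from:", sorted(hosts_where_kill_switch_failed(SAMPLE_LOG)))
```

In the constructed sample, 10.0.4.17 resolved the name and so should have stopped, while 10.0.9.88 failed twice and is the host to isolate; a failed lookup in your own logs also tells you whether the local DNS record recommended above is actually in place.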

This Trojan dropper then creates a service named mssecsvc2.0, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system:

This threat uses publicly available
exploit code for the patched SMB vulnerability, CVE-2017-0145, which can be triggered by sending a specially
crafted packet to a targeted SMBv1 server. The exploit code used is
designed to work only against unpatched Windows 7 and Windows Server 2008 (or
earlier OS) systems, so Windows 10 PCs are not affected by this exploit
attack. The said vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.

Installation

When run, the ransomware component creates the following registry entries:

It may also create the following files:

It may create a randomly named service that has the following associated ImagePath:

"cmd.exe /c "<malware working directory>\tasksche.exe""

Payload

Encrypts files

This threat searches for and encrypts files with the following filename extensions:

.123, .602, .doc, .3dm, .3ds, .3g2, .3gp, .7z, .accdb, .aes, .ai, .ARC, .asc, .asf, .asm, .asp, .avi, .backup, .bak, .bat,
.bmp, .brd, .bz2, .c, .cgm, .class, .cmd, .cpp, .crt, .cs, .csr, .csv, .db, .dbf, .dch, .der, .dif, .dip, .djvu, .docb,
.docm, .docx, .dot, .dotm, .dotx, .dwg, .edb, .eml, .fla, .flv, .frm, .gif, .gpg, .gz, .h, .hwp, .ibd, .iso, .jar, .java,
.jpeg, .jpg, .js, .jsp, .key, .lay, .lay6, .ldf, .m3u, .m4u, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg,
.mpg, .msg, .myd, .myi, .nef, .odb, .odg, .odp, .ods, .odt, .onetoc2, .ost, .otg, .otp, .ots, .ott, .p12, .PAQ, .pas, .pdf,
.pem, .pfx, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .ps1, .psd, .pst, .rar, .raw,
.rb, .rtf, .sch, .sh, .sldm, .sldx, .slk, .sln, .snt, .sql, .sqlite3, .sqlitedb, .stc, .std, .sti, .stw, .suo, .svg, .swf,
.sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vb, .vbs, .vcd, .vdi, .vmdk, .vmx, .vob,
.vsd, .vsdx, .wav, .wb2, .wk1, .wks, .wma, .wmv, .xlc, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .zip

It appends .WNCRY to the filename of encrypted files. For example:

· file.docx is renamed to file.docx.WNCRY

· file.pdf is renamed to file.pdf.WNCRY

This ransomware also creates the file @Please_Read_Me@.txt in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (see screenshot below).
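The two on-disk artefacts just described, the appended .WNCRY suffix and the per-folder @Please_Read_Me@.txt note, are what an incident responder enumerates first to size the damage. The following triage script is an added example for this post, not code from the original analysis: it walks a directory tree, recovers the original name and extension of every .WNCRY file, counts the hit per original extension, and lists folders that hold a note but no encrypted files (a partial run, a cleanup, or a false positive worth a second look). The directory layout it builds is constructed for the demonstration with placeholder content; no real sample is involved.

```python
"""Inventory WannaCry-encrypted files and ransom notes under a directory tree.

Added example for this post, not code from the original analysis. It relies
only on two facts stated above: encrypted files carry an appended ".WNCRY"
suffix (file.docx -> file.docx.WNCRY) and a note named "@Please_Read_Me@.txt"
is dropped in every folder where files were encrypted.
"""
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field

ENCRYPTED_SUFFIX = ".WNCRY"
RANSOM_NOTE_NAME = "@Please_Read_Me@.txt"


@dataclass
class TriageReport:
    encrypted_files: list = field(default_factory=list)    # paths ending in .WNCRY
    note_dirs: list = field(default_factory=list)          # folders containing the note
    by_original_ext: Counter = field(default_factory=Counter)


def original_name(encrypted_path: str) -> str:
    """Strip the appended suffix: 'report.docx.WNCRY' -> 'report.docx'."""
    base = os.path.basename(encrypted_path)
    if base.upper().endswith(ENCRYPTED_SUFFIX):
        return base[: -len(ENCRYPTED_SUFFIX)]
    return base


def original_extension(encrypted_path: str) -> str:
    """Extension the file had before encryption, lower-cased ('.docx'), or '' if it had none."""
    return os.path.splitext(original_name(encrypted_path))[1].lower()


def triage_tree(root: str) -> TriageReport:
    """Walk `root`, collecting encrypted files, ransom-note folders and per-extension counts."""
    report = TriageReport()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE_NAME:
                report.note_dirs.append(dirpath)
            elif name.upper().endswith(ENCRYPTED_SUFFIX):
                report.encrypted_files.append(path)
                report.by_original_ext[original_extension(path)] += 1
    report.encrypted_files.sort()
    report.note_dirs.sort()
    return report


def dirs_with_note_but_no_encrypted_files(report: TriageReport):
    """Folders holding a note but no .WNCRY files: partial run, cleanup, or a false positive."""
    enc_dirs = {os.path.dirname(p) for p in report.encrypted_files}
    return [d for d in report.note_dirs if d not in enc_dirs]


def build_demo_tree(root: str) -> None:
    """Create a small constructed layout for the demonstration (placeholder bytes, no malware)."""
    layout = {
        "docs": ["budget.xlsx.WNCRY", "memo.docx.WNCRY", "notes.txt", RANSOM_NOTE_NAME],
        "pics": ["holiday.jpg.WNCRY", RANSOM_NOTE_NAME],
        "empty": [RANSOM_NOTE_NAME],   # note present, nothing encrypted here
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for f in files:
            with open(os.path.join(root, folder, f), "wb") as fh:
                fh.write(b"placeholder")


def run_demo():
    """Build the constructed layout in a temporary directory, triage it, and return
    (encrypted file count, extension counts, folders with a note but no encrypted files)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        report = triage_tree(tmp)
        orphan_notes = [os.path.relpath(d, tmp) for d in dirs_with_note_but_no_encrypted_files(report)]
        return len(report.encrypted_files), dict(report.by_original_ext), orphan_notes


if __name__ == "__main__":
    count, by_ext, orphans = run_demo()
    print(count, "encrypted files; by original extension:", by_ext)
    print("folders with a note but no encrypted files:", orphans)
```

Run it against a share or a mounted image of an affected host; the per-extension counts map directly onto the extension list above and tell you which data sets need restoring from backup.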

After completing the encryption process, the malware deletes the volume shadow copies. It then replaces the desktop background image with the following message:

It also runs an executable showing a ransom note, which indicates a $300 ransom as well as a timer:

The ransomware also demonstrates its decryption capability by allowing the user to decrypt a few random files free of charge. It then quickly reminds the user to pay the ransom to decrypt all the remaining files.

Spreads to unpatched computers

To spread, this threat uses exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.

The exploit code used by this threat to spread to other computers was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems. The exploit does not affect Windows 10 PCs.

The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning of Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host, which can be observed by SecOps personnel.

The Internet scanning routine randomly generates octets to form an IPv4 address. The malware then targets that IP in an attempt to exploit CVE-2017-0145. The threat skips the address if the randomly generated first octet is 127 (the local loopback range) or is equal to or greater than 224 (the multicast and reserved ranges). Once a vulnerable machine is found and infected, it becomes the next hop for infecting other machines, and the infection cycle continues as the scanning routine discovers more unpatched computers.
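The scanning behaviour described above has a simple network signature: a single host opening TCP 445 connections to a large number of distinct peers, some on its own subnet and many on random Internet addresses, within a short window. The following is an added detection example for this post, not code from the original analysis: it aggregates flow records per source, counts distinct SMB peers split into internal and external, and ranks sources that cross a threshold. The flow record format, the sample flows, the internal address ranges and the threshold of 50 distinct peers are all constructed or assumed values to tune for your own environment.

```python
"""Flag hosts fanning out SMB (TCP 445) connections to many distinct destinations.

Added example for this post, not code from the original analysis. It acts on
the observation above that an infected host produces a burst of SMB traffic to
both the local network and random Internet addresses. The flow record format,
the sample flows, the internal address ranges and the threshold are all
constructed or assumed values; tune them to your environment.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

SMB_PORT = 445
DISTINCT_DEST_THRESHOLD = 50  # assumed tuning value: distinct 445/tcp peers per window

# Assumed internal ranges; replace with your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Constructed record format: '<src> <dst> <dport>', one flow per line."""
    src, dst, dport = line.split()
    return Flow(src, dst, int(dport))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def smb_fanout(flows):
    """Per source: how many distinct internal and external hosts it contacted on 445/tcp."""
    peers = defaultdict(set)
    for f in flows:
        if f.dport == SMB_PORT:
            peers[f.src].add(f.dst)
    fanout = {}
    for src, dsts in peers.items():
        internal = sum(1 for d in dsts if is_internal(d))
        fanout[src] = {"internal": internal, "external": len(dsts) - internal}
    return fanout


def suspected_scanners(flows, threshold=DISTINCT_DEST_THRESHOLD):
    """Sources whose distinct SMB peer count reaches the threshold, busiest first.

    Repeated flows to one file server do not add up: only distinct peers count,
    which is what separates an ordinary client from a host sweeping a subnet.
    """
    ranked = [
        (src, c) for src, c in smb_fanout(flows).items()
        if c["internal"] + c["external"] >= threshold
    ]
    ranked.sort(key=lambda sc: sc[1]["internal"] + sc[1]["external"], reverse=True)
    return ranked


def build_sample_flows():
    """Constructed flows: one host sweeping its /24 plus Internet addresses, one ordinary client."""
    lines = [f"10.0.4.17 10.0.4.{i} 445" for i in range(1, 61)]       # 60 LAN peers
    lines += [f"10.0.4.17 198.51.100.{i} 445" for i in range(40)]      # 40 external peers (TEST-NET-2)
    lines += ["10.0.4.50 10.0.4.5 445"] * 30                           # one file server, many flows
    lines.append("10.0.4.50 203.0.113.9 443")                          # unrelated HTTPS traffic
    return [parse_flow(l) for l in lines]


if __name__ == "__main__":
    for src, counts in suspected_scanners(build_sample_flows()):
        print(f"{src}: {counts['internal']} internal + {counts['external']} external SMB peers")
```

The external count is the more specific signal: ordinary workstations have little reason to speak SMB to Internet addresses at all, so even a modest external fan-out is worth an alert on its own, while the internal count is what tells you the worm is already working through your subnet.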

When it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that seems to have been copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems.

SHA1s used in this analysis:

·51e4307093f8ca8854359c0ac882ddca427a813c

·5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

·bd44d0ab543bf814d93b719c24e90d8dd7111234

·87420a2791d18dad3f18be436045280a4cc16fc4

·e889544aff85ffaf8b0d0da705105dee7c97fe26
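The hashes above are the indicators to sweep for on suspect hosts and file shares. The following is an added example for this post, not code from the original analysis: it hashes every regular file under a directory in fixed-size chunks, compares the digests case-insensitively against the five SHA1s listed, and skips unreadable files instead of aborting. The demo tree it builds is constructed, and the planted marker file is matched against the list extended with the SHA1 of its own harmless content, so the match path is exercised without any real sample on disk.

```python
"""Sweep a directory tree for files whose SHA1 matches the indicators above.

Added example for this post, not code from the original analysis. The hash
list is the one given above; the demo tree and its marker content are
constructed for the demonstration.
"""
import hashlib
import os
import tempfile

# SHA1s listed in the post.
WANNACRY_SHA1S = {
    "51e4307093f8ca8854359c0ac882ddca427a813c",
    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
    "bd44d0ab543bf814d93b719c24e90d8dd7111234",
    "87420a2791d18dad3f18be436045280a4cc16fc4",
    "e889544aff85ffaf8b0d0da705105dee7c97fe26",
}


def sha1_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, iocs=WANNACRY_SHA1S):
    """Return [(path, sha1)] for every regular file under root whose SHA1 is in iocs.

    Comparison is case-insensitive because feeds publish hashes in either case;
    unreadable files (locked, permission denied) are skipped rather than aborting.
    """
    wanted = {h.lower() for h in iocs}
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            try:
                digest = sha1_file(path)
            except OSError:
                continue
            if digest in wanted:
                matches.append((path, digest))
    return matches


def run_demo():
    """Build a constructed tree with one planted marker file and scan it.

    The planted file holds the bytes b"hello"; the IOC set is extended with that
    content's SHA1 (deliberately upper-cased) so the match path is exercised
    without a real sample on disk. Returns the matched file names.
    """
    marker = b"hello"
    iocs = WANNACRY_SHA1S | {sha1_bytes(marker).upper()}
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "sub"))
        with open(os.path.join(tmp, "sub", "planted.bin"), "wb") as fh:
            fh.write(marker)
        with open(os.path.join(tmp, "benign.txt"), "wb") as fh:
            fh.write(b"nothing to see here")
        return sorted(os.path.basename(p) for p, _ in scan_tree(tmp, iocs))


if __name__ == "__main__":
    print("matches in demo tree:", run_demo())
```

Hash matching only catches files identical to the analysed samples; pair it with the .WNCRY and ransom-note sweep and the kill-switch DNS check, since those behavioural traces survive a repacked dropper.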


Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Web Developer, Student and Mechanical Engineer. He Enjoys writing articles, Blogging, Solving Errors, Social Surfing and Social Networking. Feel Free to let me know any of your concerns about hacking or let me know if you need any more methods on hacking anything. Enjoy Learning